[Git][security-tracker-team/security-tracker][master] Triage CVE-2023-30590/nodejs for buster.
Guilhem Moulin (@guilhem)
guilhem at debian.org
Tue Aug 8 22:03:00 BST 2023
Guilhem Moulin pushed to branch master at Debian Security Tracker / security-tracker
Commits:
62859eb0 by Guilhem Moulin at 2023-08-08T23:00:29+02:00
Triage CVE-2023-30590/nodejs for buster.
This alone doesn't warrant a DLA:
“These design issues in this old API have been around for many years, and
we are not currently aware of any misuse in the ecosystem that falls
into the above scenario. Changing the behavior of the API would be a
significant breaking change and is thus not appropriate for a security
release (nor is it a goal.) The reported issue is treated as CWE-1068
(after a vast amount of uncertainty whether to treat it as a
vulnerability at all), therefore, this change only updates the
documentation to match the actual behavior. Tests are also added that
demonstrate this particular oddity.”
— https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85
- - - - -
1 changed file:
- data/CVE/list
Changes:
=====================================
data/CVE/list
=====================================
@@ -13185,7 +13185,9 @@ CVE-2023-30591
CVE-2023-30590
RESERVED
- nodejs <unfixed> (bug #1039990)
+ [buster] - nodejs <postponed> (minor issue - Inconsistency Between Implementation and Documented Design)
NOTE: https://nodejs.org/en/blog/vulnerability/june-2023-security-releases#diffiehellman-do-not-generate-keys-after-setting-a-private-key-medium-cve-2023-30590
+ NOTE: Fixed by: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x)
CVE-2023-30589 (The llhttp parser in the http module in Node v20.2.0 does not strictly ...)
- nodejs <unfixed> (bug #1039990)
[buster] - nodejs <not-affected> (llhttp dependency/embedding introduced in 12.x)
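Review bot: the `+ NOTE: Fixed by:` line added for CVE-2023-30590 labels upstream commit 1a5c9284ebce5cd71cf7a3c29759a748c373ac85 as a fix, but the commit message quoted above says that commit "only updates the documentation to match the actual behavior" and adds tests, with no change to the API's behaviour; since the new `[buster] - nodejs <postponed>` entry justifies itself with exactly that (CWE-1068, inconsistency between implementation and documented design), a later triager reading "Fixed by" could take this as a code change to backport. Consider wording it as `NOTE: https://github.com/nodejs/node/commit/1a5c9284ebce5cd71cf7a3c29759a748c373ac85 (v16.x; documentation and test changes only, no behavioural fix)`. The unstable entry on the context line `- nodejs <unfixed> (bug #1039990)` is left as is, so the postponement applies to buster alone, which is consistent with the commit message.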
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/62859eb0ab1618d0f9d8362202df6cd1bb826138